Impersonating users by abusing broken “Sign in with” implementations
Blog post from Ory
Many applications that offer "Sign in with GitHub" have been found vulnerable because they rely on mutable identifiers, such as usernames, to match external users to internal accounts. Since a GitHub username can be changed, an attacker who claims a username that another user has released can take over the internal account that was linked to it. Users who have changed their GitHub username are advised to create a new GitHub account under the old username to prevent unauthorized access.

The root cause is that the username changes on GitHub while the web application's internal record does not, so whoever later claims the old username is matched to the original account. Federated login via OAuth 2.0 or OpenID Connect is common, and applications should match users on immutable properties such as the provider's user ID rather than on usernames.

The issue is potentially widespread because many applications may have this vulnerability without knowing it; raising awareness is therefore crucial for prompt action and mitigation.
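As an added illustration (not code from the Ory post), here is the vulnerable account lookup keyed on GitHub's mutable `login` field beside the hardened one keyed on the immutable numeric `id`, run against constructed sample data; the in-memory account store and the profile values are assumptions for the demo.

```python
# Added example (not Ory's code): why "Sign in with GitHub" account linking
# must key on the immutable numeric GitHub user id, not the mutable login.
# GitHub's user profile carries both `login` and `id`; everything below is
# constructed sample data and the account store is an in-memory list.
from typing import Optional

# Internal account store: one row per local account, remembering both the
# GitHub login and the numeric GitHub id seen when the account was linked.
ACCOUNTS = [
    {"account_id": "acct-1", "email": "alice@example.com",
     "github_login": "alice", "github_id": 1001},
]

def link_account_by_login(profile: dict) -> Optional[dict]:
    """VULNERABLE: match on the mutable `login` field."""
    for acct in ACCOUNTS:
        if acct["github_login"] == profile["login"]:
            return acct
    return None

def link_account_by_id(profile: dict) -> Optional[dict]:
    """HARDENED: match on the immutable numeric `id`; `login` is ignored."""
    for acct in ACCOUNTS:
        if acct["github_id"] == profile["id"]:
            return acct
    return None

# Constructed profiles, abridged to the two fields that matter here.
ALICE_AFTER_RENAME = {"login": "alice-renamed", "id": 1001}  # same person, new login
SQUATTER = {"login": "alice", "id": 2002}  # a different GitHub account now holds the old name

def demo() -> dict:
    """Return the internal account id each lookup resolves to (None = no match)."""
    def resolve(fn, profile):
        match = fn(profile)
        return match["account_id"] if match else None
    return {
        # Vulnerable: the real user is locked out and the squatter inherits acct-1.
        "by_login": {"alice": resolve(link_account_by_login, ALICE_AFTER_RENAME),
                     "squatter": resolve(link_account_by_login, SQUATTER)},
        # Hardened: the real user still maps to acct-1; the squatter gets nothing.
        "by_id": {"alice": resolve(link_account_by_id, ALICE_AFTER_RENAME),
                  "squatter": resolve(link_account_by_id, SQUATTER)},
    }

if __name__ == "__main__":
    print(demo())
```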